Proxy servers are widely used by Internet Service Providers (ISPs) for performance improvement as well as for enhanced security. A proxy server typically functions by intercepting layer-4 and/or application-layer traffic to/from the end-user device and then performing specialized operations such as serving cached content, filtering malicious content, applying the most appropriate Quality of Service (QoS) based on the content type, etc. While performing these functions, the proxy server acts on behalf of the end-user device and therefore splits the traffic path into two segments: the traffic between the end-user device and the proxy server, and the traffic between the proxy server and the origin server.
FIG. 1 illustrates a simplified example of the use of a proxy server in a network. In the illustrated example, proxy server 134 can be implemented as a computing system or an application that can be configured to act as an intermediary between the end-user device 132 and a web server (e.g., an origin server 138), which can be accessed via the Internet 136. Proxy servers such as proxy server 134 typically act as intermediaries handling requests for services or resources from one or more end-user devices 132. In operation, the end-user device 132 connects to the proxy server and requests service from another server such as, for example, origin server 138. The service can include, for example, a file, a connection, a webpage, or another resource available from origin server 138. The proxy server receives the request and communicates with origin server 138 as a proxy for the end-user. Although one end-user device 132 and one origin server 138 are illustrated, proxy server 134 can typically handle traffic among multiple end-user devices 132 and origin servers 138.
The traffic 112, 114 between proxy server 134 and origin server 138, as seen by origin server 138 or any intermediate devices, originates and terminates on proxy server 134. The source IP address of the originating traffic 112 is that of proxy server 134 and not that of the end-user device on whose behalf the proxy server is requesting the content. One of the core functions of proxy server 134 is the identification and tracking of individual traffic flows. The start or end of a traffic flow depends on the type of layer-4 and/or application protocol, but usually corresponds to very well-defined interactions.
As an example, in the case of the TCP layer-4 protocol, the 3-way handshake is a well-defined indicator of the start of a traffic flow, and at any point in time the TCP 5-tuple (Source Address, Source Port, Destination Address, Destination Port and Protocol) uniquely identifies a traffic flow. TCP half-close interactions (the FIN exchange from each side) can be used as an indicator of the end of the traffic flow. In the case of the HTTP application-layer protocol, an HTTP transaction/flow starts with the receipt of an HTTP request message (e.g. GET, POST, PUT, HEAD, etc.). The proxy server tracks the HTTP flow by matching the requests with the corresponding responses (200 OK, 302 Found, 404 Not Found, etc.). The receipt of a complete response (which can span multiple TCP segments) marks the end of the HTTP transaction/flow. At any instant, proxy server 134 has complete state information on all flows between end-user device 132 and itself, as well as on the corresponding traffic flows between itself and origin server 138.
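The flow-tracking rules just described, as an added Python example that is not code from the original document: TCP flows are keyed by the initiator's 5-tuple, opened on the first SYN of the handshake, and closed once both sides have sent FIN (or on RST); HTTP transactions inside an established flow are paired request-to-response, with the response's Content-Length used to recognise a complete response that spans several segments. The segment dicts, addresses and trace are constructed for the example; it assumes the response headers arrive in a single segment and does not handle chunked encoding or bodiless HEAD responses.

```python
"""Constructed example of proxy-side flow tracking by TCP 5-tuple and HTTP transaction.

Hypothetical helper, not code from the original page. Segments are plain dicts standing
in for parsed packets; the sample trace in run_sample_trace() is constructed.
"""
from collections import namedtuple

FiveTuple = namedtuple("FiveTuple", "src_ip src_port dst_ip dst_port proto")
HTTP_METHODS = ("GET", "POST", "PUT", "HEAD", "DELETE", "OPTIONS", "PATCH")


def five_tuple(seg):
    return FiveTuple(seg["src_ip"], seg["src_port"], seg["dst_ip"], seg["dst_port"], "tcp")


def reverse(t):
    return FiveTuple(t.dst_ip, t.dst_port, t.src_ip, t.src_port, t.proto)


class FlowTracker:
    """Keeps one record per TCP flow, keyed by the initiator's (client's) 5-tuple."""

    def __init__(self):
        self.flows = {}      # initiator 5-tuple -> flow record
        self.completed = []  # (5-tuple, request line, status line) per finished transaction

    def on_segment(self, seg):
        key, flags = five_tuple(seg), set(seg.get("flags", ()))
        # Start of flow: the initial SYN (no ACK) of the 3-way handshake.
        if "SYN" in flags and "ACK" not in flags:
            self.flows[key] = {"state": "SYN_SENT", "pending": [], "resp": None, "fins": set()}
            return "start"
        if key in self.flows:
            flow, direction = self.flows[key], "client"
        elif reverse(key) in self.flows:
            key = reverse(key)
            flow, direction = self.flows[key], "server"
        else:
            return "unknown"  # no handshake seen for this 5-tuple: not a tracked flow
        if flow["state"] == "SYN_SENT" and direction == "server" and {"SYN", "ACK"} <= flags:
            flow["state"] = "SYN_RECEIVED"
        elif flow["state"] == "SYN_RECEIVED" and direction == "client" and "ACK" in flags:
            flow["state"] = "ESTABLISHED"
        if flow["state"] == "ESTABLISHED" and seg.get("payload"):
            self._on_http(key, flow, direction, seg["payload"])
        # End of flow: RST, or a FIN (half-close) seen from both sides.
        if "RST" in flags:
            flow["fins"] = {"client", "server"}
        if "FIN" in flags:
            flow["fins"].add(direction)
        if flow["fins"] == {"client", "server"}:
            del self.flows[key]
            return "end"
        return flow["state"]

    def _on_http(self, key, flow, direction, data):
        if direction == "client":
            line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
            if line.split(" ")[0] in HTTP_METHODS:
                flow["pending"].append(line)  # transaction starts with the request
            return
        # Server side: a response may span several segments, so count body bytes still due.
        if flow["resp"] is None:
            head, _, body = data.partition(b"\r\n\r\n")
            lines = head.decode("ascii", "replace").split("\r\n")
            length = 0
            for h in lines[1:]:
                name, _, value = h.partition(":")
                if name.strip().lower() == "content-length":
                    length = int(value)
            flow["resp"] = {"status": lines[0], "remaining": length - len(body)}
        else:
            flow["resp"]["remaining"] -= len(data)
        if flow["resp"]["remaining"] <= 0 and flow["pending"]:
            self.completed.append((key, flow["pending"].pop(0), flow["resp"]["status"]))
            flow["resp"] = None


def run_sample_trace():
    """Constructed trace: handshake, one GET whose response spans two segments, clean close."""
    c, s = ("10.0.0.5", 40000), ("198.51.100.7", 80)

    def seg(src, dst, flags=(), payload=b""):
        return {"src_ip": src[0], "src_port": src[1], "dst_ip": dst[0], "dst_port": dst[1],
                "flags": set(flags), "payload": payload}

    body = b"x" * 20
    trace = [
        seg(c, s, ["SYN"]),
        seg(s, c, ["SYN", "ACK"]),
        seg(c, s, ["ACK"]),
        seg(c, s, ["ACK"], b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        seg(s, c, ["ACK"], b"HTTP/1.1 200 OK\r\nContent-Length: 20\r\n\r\n" + body[:8]),
        seg(s, c, ["ACK"], body[8:]),
        seg(c, s, ["FIN", "ACK"]),
        seg(s, c, ["FIN", "ACK"]),
    ]
    tracker = FlowTracker()
    events = [tracker.on_segment(x) for x in trace]
    return events, tracker.completed, len(tracker.flows)
```

A segment whose 5-tuple was never seen in a handshake is reported as "unknown" rather than being admitted as a flow; a proxy that created state for such segments could be made to exhaust its flow table by unsolicited traffic.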
The presence of the proxy server's IP address in the traffic 114 can prevent the use of applications such as lawful interception, traffic shaping or geolocation, which rely on the source IP address to perform their functions. To enable such specialized functions, the source IP address of the traffic from the proxy server should ideally be that of the end-user device. The use of the end-user device's 132 IP address as the source address in traffic originating from the proxy server is referred to as Source IP Address Transparency. One conventional solution for achieving Source IP address transparency is the use of a specialized device/application to perform layer-4 switching.
FIG. 2 illustrates an example of the use of a layer-4 switching device/application for implementing Source IP address transparency. As seen in FIG. 2, this example includes a layer-4 switch or application 140 providing an interface for proxy server 134. The layer-4 switching device/application 140 in various implementations is capable of identifying traffic flows. Using configuration and run-time control information, the layer-4 switch/application 140 can be configured to alter the IP and layer-4 (e.g. TCP) header contents. This capability of the layer-4 switch/application 140 may be used to insert the IP address of end-user device 132 in the IP packets carrying the layer-4 segments. Accordingly, in the example of FIG. 2, at signal paths 164 and 165 the source IP address is that of end-user device 132; at signal path 166 the source IP address is that of proxy server 134; and at path 168 the source IP address is that of end-user device 132. Also illustrated is control signaling 162, which allows the proxy server to control layer-4 switch 140.
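An added example, not code from the original document, of the address translation a layer-4 switch such as 140 performs, written in Python with constructed addresses from documentation ranges: the proxy registers over the control channel which end-user a proxy-side flow is on behalf of, the switch substitutes the end-user IP as source on the proxy-to-origin path (166 to 168), and, a point the figure description does not spell out, the origin's replies are addressed to the end-user IP, so the switch must also map them back to the proxy's address. The class and its method names are hypothetical.

```python
"""Constructed example of the translation table behind source-IP transparency.

Hypothetical code, not the page's own. Packets are represented by their 5-tuple only.
"""
from collections import namedtuple

FiveTuple = namedtuple("FiveTuple", "src_ip src_port dst_ip dst_port proto")


class L4Switch:
    """Rewrites addresses on the proxy<->origin segment so the origin sees the end-user IP."""

    def __init__(self, proxy_ip):
        self.proxy_ip = proxy_ip
        self.to_origin = {}    # proxy-side flow (proxy -> origin) -> end-user IP to present
        self.from_origin = {}  # (end-user IP, port, origin IP, origin port) -> proxy-side flow

    def register(self, proxy_flow, client_ip):
        """Control signalling from the proxy: 'this flow is on behalf of client_ip'."""
        # Only flows the proxy itself originates may be rewritten; anything else is spoofing.
        if proxy_flow.src_ip != self.proxy_ip:
            raise ValueError("only flows originating at the proxy may be registered")
        key = (client_ip, proxy_flow.src_port, proxy_flow.dst_ip, proxy_flow.dst_port)
        # The origin's replies carry only this key, so two flows must never share it.
        if key in self.from_origin:
            raise ValueError("return-path collision: %r already mapped" % (key,))
        self.to_origin[proxy_flow] = client_ip
        self.from_origin[key] = proxy_flow

    def deregister(self, proxy_flow):
        """Called by the proxy when it sees the flow end; stale entries would leak state."""
        client_ip = self.to_origin.pop(proxy_flow, None)
        if client_ip is not None:
            del self.from_origin[(client_ip, proxy_flow.src_port,
                                  proxy_flow.dst_ip, proxy_flow.dst_port)]

    def forward(self, pkt):
        """Rewrite one packet. Returns (rewritten 5-tuple, 'egress' | 'ingress' | 'pass')."""
        # Egress (path 166 -> 168): proxy -> origin, present the end-user IP as source.
        client_ip = self.to_origin.get(pkt)
        if client_ip is not None:
            return pkt._replace(src_ip=client_ip), "egress"
        # Ingress: the origin replies to the end-user IP; steer the packet back to the proxy.
        proxy_flow = self.from_origin.get((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if proxy_flow is not None:
            return pkt._replace(dst_ip=self.proxy_ip), "ingress"
        return pkt, "pass"  # not a registered flow: forward unchanged


def demo():
    """Constructed walk-through: register, egress, reply, an unrelated packet, deregister."""
    sw = L4Switch("203.0.113.10")
    client_ip, origin = "10.0.0.5", ("198.51.100.7", 80)
    proxy_flow = FiveTuple("203.0.113.10", 51000, origin[0], origin[1], "tcp")
    sw.register(proxy_flow, client_ip)
    out, a1 = sw.forward(proxy_flow)                                   # proxy -> origin
    back, a2 = sw.forward(FiveTuple(origin[0], origin[1], client_ip, 51000, "tcp"))  # reply
    _, a3 = sw.forward(FiveTuple(origin[0], origin[1], client_ip, 51001, "tcp"))     # unrelated
    sw.deregister(proxy_flow)
    _, a4 = sw.forward(proxy_flow)                                     # after flow end
    return (out.src_ip, a1), (back.dst_ip, a2), a3, a4
```

Whoever can write to the control channel 162 can make the switch emit packets with any source address, so in a deployment that channel must be restricted to the proxy and the switch should enforce the origin check in register() rather than trusting the proxy alone.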
Commercial off-the-shelf layer-4 switching devices are available for inspecting layer-4 traffic flows and then performing a variety of functions, including switching of source IP addresses. The use of a separate device may provide a fast time-to-market advantage, but it can have the disadvantage of increased equipment cost. There are also system redundancy issues that need to be considered when using a standalone layer-4 switching device. Implementing the layer-4 switching function as a standalone software application within the proxy server is a possible alternative to the use of a separate device. However, implementation of layer-4 switching has its own development costs, processing complexity, scaling issues and software maintenance costs.